Uber has an account security issue and it seems they want to ignore it

:: updated Dec 6, 2016 (see end) ::

Uber has an account security issue and support is either not taking the problem seriously, or they do not understand the risk. This was brought further to my attention today when we were able to gain access to another rider’s account using a simple password reset.

[hr]

Summary

Received over 200 emails from Uber trips completed in Kenya (we live in Australia)

Uber support fails to resolve the issue of an unverified email address on the rider’s account

We’re able to take control of the rider’s account using a simple password reset

[hr]

Since July my partner has received over 200 messages in her Gmail account addressed to a rider in Nairobi, Kenya who sometimes completes trips several times a day. We live in Brisbane, Australia.

Uber Kenya Trip emails received

After being told by Uber’s Support that they are no longer willing to assist with the problem, we were able to log in to the Kenyan rider’s account and view their personal details, including:

full name

phone number

payment method

detailed maps of every trip they have taken since they started using the service, thus we can infer with high probability their home address and common travel destinations.

Rider’s account details

How were we able to do this?

By simply going to uber.com and requesting a password reset. The only change we made when doing this was omitting the period my partner usually uses in her Gmail address. Since Gmail ignores periods and letter case in the part of the address before the @ (an issue we highlighted multiple times with Uber support), the rider’s address without the period and my partner’s address with it are the same inbox, and we received the automated email to reset the password. We were instantly able to set a new password and log in using the email address sans period and the new password. We now have complete control of this user’s account in Kenya.

Rider’s trip history

Uber support experience

Because Uber does not require a verified email address at signup, any rider who mistakenly enters someone else’s Gmail address (or a variant of it that Gmail delivers to the same inbox) hands that person the ability to reset their password: the reset link goes to whoever actually owns the mailbox, not to the rider. This makes the privacy breach described above trivial to execute.
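To make the two missing controls concrete, here is an added example (it is not code from this post or from Uber, and the class and address names are assumed) of how a signup and password-reset flow can close the hole: addresses are compared in a canonical form so that Gmail variants of one inbox are treated as one identity, and a reset link is only ever sent to an address the account holder has actually verified.

```python
# Added example, not from the original post or from Uber. It models two controls whose
# absence the post describes: (1) treating Gmail address variants as the same mailbox
# when checking for duplicates, and (2) refusing to mail a password-reset link to an
# address the account holder never verified. AccountStore and the addresses are assumed.
import secrets
from dataclasses import dataclass, field

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Canonical form used for duplicate detection and lookup.

    Gmail ignores dots and letter case in the local part (and routes anything after
    '+' to the same inbox), so 'Jane.Smith@gmail.com' and 'janesmith@gmail.com' are
    one mailbox. For other domains we only case-fold (an assumption for this example).
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


@dataclass
class Account:
    email: str                    # address exactly as the rider typed it
    email_verified: bool = False  # flipped only after the verification link is used
    verify_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AccountStore:
    """Accounts keyed by canonical address; reset tokens issued only to verified mail."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (recipient, purpose): mail "sent"

    def register(self, email: str) -> Account:
        key = canonical_email(email)
        if key in self._accounts:
            # Control 1: janesmith@gmail.com cannot be registered while
            # Jane.Smith@gmail.com is; both are one inbox, so one of the two
            # signups is a typo or someone else's address.
            raise ValueError("address already in use")
        acct = Account(email=email)
        self._accounts[key] = acct
        self.outbox.append((email, "verify"))
        return acct

    def confirm_email(self, email: str, token: str) -> bool:
        acct = self._accounts.get(canonical_email(email))
        if acct is None or not secrets.compare_digest(acct.verify_token, token):
            return False
        acct.email_verified = True
        return True

    def request_password_reset(self, email: str) -> bool:
        """Control 2: never send a reset link to an address nobody proved they own.

        Returns True if a reset mail was sent. The caller shows the same
        'if that address is registered, check your inbox' message either way, so
        the response does not reveal whether an account exists or is verified.
        """
        acct = self._accounts.get(canonical_email(email))
        if acct is None or not acct.email_verified:
            return False
        self.outbox.append((acct.email, "reset"))
        return True


def replay_post_scenario() -> dict:
    """A rider signs up with the reader's Gmail address minus the dot (assumed address)."""
    store = AccountStore()
    rider = store.register("janesmith@gmail.com")
    # The reader requests a reset for the undotted address: with the gate in place,
    # nothing is sent because the rider never verified the address.
    reset_before_verify = store.request_password_reset("janesmith@gmail.com")
    # Once the rider has clicked the verification link, resets work as normal,
    # and the dotted variant resolves to the same account.
    store.confirm_email("janesmith@gmail.com", rider.verify_token)
    reset_after_verify = store.request_password_reset("Jane.Smith@gmail.com")
    # A later signup with the dotted variant is rejected as a duplicate.
    try:
        store.register("Jane.Smith@gmail.com")
        dotted_variant_rejected = False
    except ValueError:
        dotted_variant_rejected = True
    return {
        "reset_before_verify": reset_before_verify,
        "reset_after_verify": reset_after_verify,
        "dotted_variant_rejected": dotted_variant_rejected,
    }


if __name__ == "__main__":
    print(replay_post_scenario())
```

The verification gate is the control that actually stops the takeover in the post: a reset link must only go to an address somebody has proven they can read. Canonicalising Gmail addresses is a supporting check; it catches the mistyped-signup case at registration time and keeps a rider’s own account from being split across dotted and undotted spellings, but it is not a substitute for verification, since a rider can still enter an address belonging to an entirely different person.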

Uber’s help page suggests that they take security seriously, but the support experience tends to suggest otherwise. At first the constant barrage of emails was merely annoying, and we could have filtered the Uber Kenya emails straight to the Gmail Spam folder and moved on. However, it was the blatant security issue that prompted the ongoing back and forth with multiple people at Uber support, which has led to the writing of this post after we were able to gain access to another rider’s account so easily.

After countless emails over the past five months, Uber support have suggested filtering the emails to Spam (this will not solve the security issue) and even acquiring a new email address, which is frankly a ridiculous suggestion for a customer your company would likely wish to retain.

After this frustration, I decided we had to speak to someone locally. I searched LinkedIn for Uber staff located in Brisbane and connected with a few of them. I messaged Jess, from the Community Operations team who was responsive and keen to help, even while she was away from the office on leave. Jess forwarded the message to someone who would look into it, and after a few days the Kenyan completed trip emails stopped appearing.

A couple of weeks later, the emails started again, so we reached out to support again but were unable to get any response. Once more we had to message Uber staff via LinkedIn to restart communication. At this stage, Uber didn’t want to deal with the issue again and sent messages suggesting we take the issue up with Google.

After a brief response from us, support have marked the case ‘Resolved’, and reiterated they are not willing to help further, which they could simply do by reaching out to the Kenyan rider to ensure their email address is correctly verified.

What does this mean now?

I have the ability to access someone else’s account and private data. Uber needs to understand that there are likely many other similar cases, and that the same steps could be carried out with malicious intent, hence my decision to make this support case public.

Uber’s support have ‘resolved’ the case, while another rider’s account security still remains compromised.

I welcome comments below and hopefully this gets to someone at Uber who either knows or cares enough to follow it up appropriately.

Update:

After referring Uber support to this article they deleted the other user’s account we had managed to access. I’m glad they did this as I felt uneasy having that access, however they’ve simply left it at that, and it is unlikely that any actual followup will occur with regards to how they manage their rider’s security. A shame, but not really surprising at this point.

3 thoughts on “Uber has an account security issue and it seems they want to ignore it”

Great write up. Unfortunately this is not surprising, and seen all too often. I for one have others register accounts using my email address on a regular basis. The users that use my accounts simply validate their accounts via other means, such as their mobile number, or no validation is required at all.

I’m conflicted on who owns responsibility in these instances.

On one hand, if Person A uses the email account of Person B (yourself) to avoid using their own email account, they invite ownership re-homing. I feel a reasonable amount of ownership when my email address is used, and I promptly reset ‘my’ password. Person A should find the magic of a dummy email address. Indeed it’s not that hard. If Person A doesn’t, if they use the account of Person B, account ownership, personally, becomes quite grey.

I always use my identity, my details, when I register to use services, just as I would a gym membership. Why do we find it acceptable to be dishonest online? We shouldn’t, it’s unacceptable. But it happens… I feel no pity for these people though, and I hold the company with very little responsibility in most instances. It’s akin to logging into a banking account at an internet kiosk, and leaving the console unlocked whilst going to the bathroom.

Customers have responsibility for their actions.

On the other hand, these systems can hold data that could put Person A at risk; such as financial, reputation, or safety loss. In these instances I do firmly believe that greater ownership should be held by the provider. In Uber’s example, Person A’s safety is at risk, as is their financial position. You know where they live, and a temporary Visa card could readily harvest their earnings. If more publicly known, this could be exploited more often than it is today.

It’s simple, password recovery should ALWAYS require validation via the same means as the original registration, and registration verification shouldn’t be a discussion point within application design. Security questions, whilst having their weaknesses, also provide an alternate ‘shared secret’ that can be used for the same process. In any instance, it shouldn’t be a ‘click once’ process to take account ownership as you have in this instance.

In this instance, I call mutual responsibility. Uber need to up the ante on their controls, and their customer service.